On Mon, Aug 29, 2016 at 11:28 PM, Paul Wouters <[email protected]> wrote:
> On Mon, 29 Aug 2016, Spencer Dawkins wrote:
>
>> ----------------------------------------------------------------------
>> COMMENT:
>> ----------------------------------------------------------------------
>>
>> This sentence doesn't parse for me - or maybe I just need more security
>> clue?
>>
>> "IKEv1 using shared secret authentication was partially resistance to
>> quantum computers."
>
> s/resistance/resistant

Update has been made, thanks.

>> I don't object to this text
>>
>> "There have been middle boxes blocking IKE negotiation over UDP. To
>> make IKE work in these environments, IKE packets need to be
>> encapsulated in a TCP tunnel.
>
> "In a TCP tunnel" is perhaps a little confusing, as IPinIP or an IPsec
> tunnel was not meant. Instead, we meant "encapsulated in TCP".

OK, I am changing this text too, thanks.

>> The group will define a mechanism to
>> tunnel IKE and IPsec over a TCP-based connection. This method is
>> intended to be used as a fallback when IKE cannot be negotiated over
>> UDP. The group will create a method where IKEv2 and IPsec packets can
>> be encapsulated in the TCP connection."
>>
>> going for external review, but I'd love to understand better what the
>> resulting protocol stack looks like. I get the part about encapsulating
>> IKEv2 in TCP, but is encapsulating IPsec in TCP going to give us a
>> general-purpose "IP over TCP" mechanism?
>
> It will be "ESP over TCP" similar to how we now have "ESP over UDP".

We should be more explicit here, I agree with Spencer. The IKE part is
clear since that's UDP 500. Would this be transport mode ESP only? If
that's the case, how is the following alteration to the text:

"The group will define a mechanism to tunnel IKE and IPsec over a
TCP-based connection. This method is intended to be used as a fallback
when IKE cannot be negotiated over UDP. The group will create a method
where IKEv2 and IPsec ESP transport mode packets can be encapsulated in
the TCP connection."

Working group: If I've changed the intent too much, please suggest
other wording.

Thanks

> Paul

--
Best regards,
Kathleen

_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec
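The thread's "ESP over TCP, similar to ESP over UDP" point hides one practical difference that the charter wording glosses over: UDP preserves datagram boundaries, TCP does not, so the encapsulation has to add its own framing and a way to tell an IKE message from an ESP packet on the same connection. The following is an added illustration written for this page, not code from the thread, the working group, or any implementation. It assumes a 16-bit big-endian length prefix per message (the framing RFC 8229 later standardized) and reuses the four-zero-byte "non-ESP marker" convention from UDP encapsulation (RFC 3948), which works because a zero SPI never appears on the wire in a valid ESP packet. The ESP and IKE message bytes below are constructed placeholders, not real protocol output. Whether ESP is in transport or tunnel mode (Kathleen's open question) does not change this layer, because the ESP header, and therefore the SPI-based demultiplexing, is identical in both modes.

```python
import struct

# Four zero bytes in the SPI position mark an IKE message (RFC 3948 convention);
# a real ESP packet never carries SPI 0 on the wire.
NON_ESP_MARKER = b"\x00\x00\x00\x00"


def frame(message: bytes, is_ike: bool) -> bytes:
    """Wrap one IKE or ESP message for a TCP byte stream.

    Assumed framing: 16-bit big-endian length, then (marker +) message.
    """
    if not is_ike and message[:4] == NON_ESP_MARKER:
        # An ESP packet with SPI 0 would be misread as IKE by the peer.
        raise ValueError("ESP packet with zero SPI cannot be framed")
    payload = (NON_ESP_MARKER + message) if is_ike else message
    if len(payload) > 0xFFFF:
        raise ValueError("message too large for a 16-bit length prefix")
    return struct.pack("!H", len(payload)) + payload


class StreamDeframer:
    """Recover whole messages from TCP data that arrives in arbitrary pieces.

    TCP may coalesce several framed messages into one read or split one
    message across many reads; the buffer absorbs both cases.
    """

    def __init__(self) -> None:
        self.buf = bytearray()

    def feed(self, chunk: bytes) -> list:
        self.buf += chunk
        out = []
        while len(self.buf) >= 2:
            (length,) = struct.unpack("!H", self.buf[:2])
            if length < 4:
                # Too short to hold either an SPI or the non-ESP marker.
                raise ValueError("malformed frame: length %d" % length)
            if len(self.buf) < 2 + length:
                break  # wait for the rest of this message
            payload = bytes(self.buf[2:2 + length])
            del self.buf[:2 + length]
            if payload[:4] == NON_ESP_MARKER:
                out.append(("IKE", payload[4:]))
            else:
                out.append(("ESP", payload))
        return out


# Constructed sample messages (not real IKE or ESP traffic):
# an ESP packet is SPI (4 bytes) + sequence number (4 bytes) + ciphertext,
# an IKEv2 message starts with a 28-byte header, stubbed here as 0x01 bytes.
SAMPLE_ESP = struct.pack("!II", 0x12345678, 1) + b"ciphertext"
SAMPLE_IKE = b"\x01" * 28


def deframe_stream(stream: bytes, chunk_size: int):
    """Feed a byte stream to the deframer in fixed-size reads.

    Returns (messages, leftover_bytes); leftover is empty when every
    frame in the stream was complete.
    """
    deframer = StreamDeframer()
    messages = []
    for i in range(0, len(stream), chunk_size):
        messages.extend(deframer.feed(stream[i:i + chunk_size]))
    return messages, bytes(deframer.buf)


if __name__ == "__main__":
    stream = frame(SAMPLE_IKE, True) + frame(SAMPLE_ESP, False)
    for size in (1, 5, 64):
        msgs, rest = deframe_stream(stream, size)
        print(size, [(kind, len(body)) for kind, body in msgs], len(rest))
```

Running the block shows the same two messages recovered whether the stream is read one byte at a time, in 5-byte pieces, or in one 64-byte read, which is exactly the property a TCP encapsulation needs and a UDP one gets for free.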
